DETAILED ACTION

• Applicant's submission for RCE filed on 6/30/2010 has been entered. Applicant
has amended claims 1, 14-18, 20, 21, 28-31 and 33-36 and added claims 45-46.
Currently claims 1-46 are pending in this application.

Response to Arguments 

Applicant's arguments with respect to claims 36-44 have been considered but are 
moot in view of the new ground(s) of rejection. 

Applicant's arguments filed 5/27/2010, regarding claims 1, 21, 34 and 35 have 
been fully considered but they are not persuasive. 

• Applicant argues that, "As a result, Langford cannot teach or suggest an
"encrypted sub-header including access rules applicable to the user or to a group
to which the user belongs for the secured item," as recited in claim 1, as the
retrieved session key in Langford is not in any way "applicable to the user or to a
group to which the user belongs," but rather is the same session key that would
be obtained by any user or group. Each of the encrypted session keys in a given
header Langford is the same, just encrypted by a different public key. (Langford,
3:11-13 and FIG. 1).

• Examiner would like to point out that Langford was only relied upon to teach 
"retrieving at the first server machine, a user key permitting access to an 
individual encrypted sub-header of the secure item, the sub-header selected, 
from a group of individually encrypted sub-headers corresponding to other user 
or groups based on the sub-header's correspondence to other users or groups to
which the user belongs based on an identifier" and not the access rules within 
the encrypted header. Therefore, examiner agrees with the applicant that 
"Langford cannot teach or suggest an "encrypted sub-header including access 
rules applicable to the user or to a group to which the user belongs for the 
secured item," 

• Applicant further argues that, "Richards does not supply the missing teaching or 
suggestion. Although the Examiner relies on Richards to allegedly teach "a 
system where a given requester is permitted to access a secure item based on 
access rules stored in an encrypted header of a secure item" (Office Action, p. 7 
(citing Richards, Fig. 4 and paras. [0066]-[0068])), Richards also suffers from the
deficiency of not teaching or suggesting "access rules applicable to the user or to
a group to which the user belongs."

• Examiner respectfully disagrees and would like to point out that Richards 
explicitly discloses "access rules applicable to the user or to a group to which the 
user belongs" (see, Fig. 4 and Paragraphs 0068, "The policy component 114
includes elements that define recipient's access rights to the data, such as the 
rights to "read/write", "save encoded", "save open", "no save", "server keyed", 
"render 1", "render 2", "Age 1", "Age 2", and "Use", etc."). Therefore, applicant's 
argument that Richards does not teach access rules applicable to the user or to a 
group to which the user belongs is not persuasive. As a result, the rejection of 
claims 1, 21, 34, and 35 is maintained.

Claim Rejections - 35 USC § 103

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-19, 21-32 and 34-46 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Russell et al. (WO 01/77783 A2), hereinafter "Russell", in view of
Langford et al. (US 6,266,420 B1), hereinafter "Langford", and further in view of
Richards et al. (US 2002/0016922 A1), hereinafter "Richards".

Regarding Claims 1 and 34, Russell discloses method and corresponding 
computer program for providing access management through use of a plurality of server 
machines associated with different locations (see, Fig. 1), said method comprising: 

receiving, at a first server machine of the plurality of server machines, an access 
request to access a secure item from a first client machine at a first location (see, page 
24, lines 2-7); 

authenticating a user of the first client machine at the first location (see, Page 11,
lines 30-31);

authenticating the first client machine (See, Page 25, lines 6-14);

retrieving at the first server machine access rules for the secured item based on
the success of said authentication of the user and authenticating of the first client 
machine (see, Page 25, lines 23-30); 

permitting access to the secure item via the first location based on success of 
said authenticating of the user and authenticating of the first client machine and further 
based on allowability by the access rules (see, page 11, lines 30-31, Page 25, lines 6-14
and Page 26, lines 3-13);

permitting access to the secure item via the first server machine based on said 
permitting access to the secure system via the first location permitting the user to gain 
access to the secure item from the first location (see, page 11, lines 30-31, Page 25,
lines 6-14 and Page 26, lines 3-13); and 

Russell discloses encrypting secure content to be delivered; however, Russell
does not explicitly teach retrieving at the first server machine a user key permitting 
access to an individually encrypted sub-header of the secured item and the sub-header 
selected, from a group of individually encrypted sub-headers corresponding to other 
user or groups, based on the sub-header's correspondence to other users or groups to 
the user or to a group to which the user belongs based on an identifier. 

Langford discloses retrieving at the first server machine, a user key permitting 
access to an individual encrypted sub-header of the secure item (see, Fig. 2, and also
Column 1, lines 39-53, public key of the key pair), the sub-header selected, from a
group of individually encrypted sub-headers corresponding to other user or groups (see,
Fig. 1, each of the wrapped keys in the header), based on the sub-header's
correspondence to other users or groups to which the user belongs based on an
identifier (see, Fig. 2, and also Column 1, lines 39-53, "The receiving party locates his 
copy of the wrapped key by the key identifier in the header. The recipient can then 
decrypt the symmetric key using his private key."). 

Therefore, it would have been obvious at the time invention was made to a 
person of ordinary skill in the art to place file key of Russell into encrypted sub-headers 
as taught by Langford because "In this way, multiple recipients can each locate their 
wrapped copy of the symmetric key, unwrap the key, and then use the symmetric key to 
decrypt the message", (see, Langford, Column 1, lines 39-53) 

The combination of Russell and Langford discloses individually encrypted sub- 
headers but does not explicitly teach that the individually encrypted sub-header 
including access rules applicable to the user or to a group to which the user belongs for 
the secured item. 

However, Richards discloses a system where a given requester is permitted to 
access a secure item based on access rules applicable to the user stored in an 
encrypted header of a secure item (see, Fig. 4 and Paragraphs 0068, "The policy
component 114 includes elements that define recipient's access rights to the data, such 
as the rights to "read/write", "save encoded", "save open", "no save", "server keyed", 
"render 1", "render 2", "Age 1", "Age 2", and "Use", etc."). 

Therefore, it would have been obvious at the time invention was made to a 
person of ordinary skill in the art to place access rules, in the individual encrypted sub- 
headers of the combination of Russell and Langford, as taught by Richards because "all 
encoded header data, database, and any other data are encoded as a single data file or
stream being singular in type, the data may be checked by the application before
opening via the various embedded hash elements. Accordingly, the security and
integrity of the data is further maintained, firewall requirements are simplified, and the
potential of firewall penetration is reduced" (see, Paragraph 0073).

Regarding Claims 21 and 35, Russell discloses method and corresponding
computer program for providing access management through use of a distributed
network of server machines (see, Fig. 1), said method comprising:

receiving, at a first server machine of the plurality of server machines, an access 
request to access a secure item from a first client machine (see, page 24, lines 2-7); 

authenticating a user of the client machine (see, Page 11, lines 30-31);

authenticating the first client machine (See, Page 25, lines 6-14);

upon successfully authenticating the user and authenticating the first client
machine, retrieving access rules for the secure item (see, Page 25, lines 23-30);

retrieving access privileges associated with the user (see, Page 25, lines 23-30);

determining whether the user is permitted to gain access to the secure item via 
the first server machine based on success of said authentication the user and said 
authenticating the first client machine and further based on allowability by the access 
privileges and access rules (see, page 11, lines 30-31, Page 25, lines 6-14 and Page 
26, lines 3-13); 



Application/Control Number: 10/075,194 Page 8 

Art Unit: 2435 

permitting access to the secure item via the first server machine based on said
determining whether the user is permitted to gain access to the secure item via the first
server machine determining that the user is permitted to gain access to the secure item
via the first server machine (see, page 11, lines 30-31, Page 25, lines 6-14 and Page
26, lines 3-13); and

Russell discloses encrypting secure content to be delivered; however, Russell
does not explicitly teach retrieving at the first server machine a user key permitting 
access to an individually encrypted sub-header of the secured item and the sub-header 
selected, from a group of individually encrypted sub-headers corresponding to other 
user or groups, based on the sub-header's correspondence to other users or groups to 
the user or to a group to which the user belongs based on an identifier. 

Langford discloses retrieving at the first server machine, a user key permitting 
access to an individual encrypted sub-header of the secure item (see, Fig. 2, and also 
Column 1, lines 39-53, public key of the key pair), the sub-header selected, from a 
group of individually encrypted sub-headers corresponding to other user or groups (see,
Fig. 1, each of the wrapped keys in the header), based on the sub-header's
correspondence to other users or groups to which the user belongs based on an
identifier (see, Fig. 2, and also Column 1, lines 39-53, "The receiving party locates his
copy of the wrapped key by the key identifier in the header. The recipient can then 
decrypt the symmetric key using his private key."). 

Therefore, it would have been obvious at the time invention was made to a 
person of ordinary skill in the art to place file key of Russell into encrypted sub-headers 
as taught by Langford because "In this way, multiple recipients can each locate their
wrapped copy of the symmetric key, unwrap the key, and then use the symmetric key to 
decrypt the message", (see, Langford, Column 1, lines 39-53) 

The combination of Russell and Langford discloses individually encrypted sub- 
headers but does not explicitly teach that the individually encrypted sub-header 
including access rules applicable to the user or to a group to which the user belongs for 
the secured item. 

However, Richards discloses a system where a given requester is permitted to 
access a secure item based on access rules applicable to the user stored in an 
encrypted header of a secure item (see, Fig. 4 and Paragraphs 0068, "The policy
component 114 includes elements that define recipient's access rights to the data, such 
as the rights to "read/write", "save encoded", "save open", "no save", "server keyed", 
"render 1", "render 2", "Age 1", "Age 2", and "Use", etc."). 

Therefore, it would have been obvious at the time invention was made to a 
person of ordinary skill in the art to place access rules, in the individual encrypted sub- 
headers of the combination of Russell and Langford, as taught by Richards because "all 
encoded header data, database, and any other data are encoded as a single data file or 
stream being singular in type, the data may be checked by the application before 
opening via the various embedded hash elements. Accordingly, the security and 
integrity of the data is further maintained, firewall requirements are simplified, and the 
potential of firewall penetration is reduced" (see, Paragraph 0073).

Regarding Claim 2, the rejection of claim 1 is incorporated and the combination
of Russell, Langford and Richards further discloses wherein said determining permitting 
access to the secure system via the first location comprises: obtaining access privileges 
associated with the user to determine at least one or more permitted locations for the 
user; and determining whether the user is permitted to gain access to the secure item 
from the first location based on the permitted locations associated with the user (see 
Russell, page 11, lines 30-31, Page 25, lines 6-14 and Page 26, lines 3-13). 

Regarding Claim 3, the rejection of claim 1 is incorporated and the combination 
of Russell, Langford and Richards further discloses wherein permission by said 
permitting access to the secure system via the first location further comprises allowing 
access to the secure item from the first location via the first client machine and the first 
server machine (see Russell, page 11, lines 30-31, Page 25, lines 6-14 and Page 26, 
lines 3-13). 

Regarding Claim 4, the rejection of claim 1 is incorporated and the combination 
of Russell, Langford and Richards further discloses wherein permission by said 
permitting access to the secure item via the first server machine further comprises 
allowing access to the secure item from the first location via the first client machine and 
the first server machine (see Russell, page 11, lines 30-31, Page 25, lines 6-14 and
Page 26, lines 3-13). 

Regarding Claims 5 and 22, the rejections of claims 1 and 21 are incorporated 
and the combination of Russell, Langford and Richards further discloses preventing 
access to the secure item via any of the server machines other than the first server 
machine based on permitting access to the secure item via the first server machine
permitting the user to gain access to the secure item from the first location (see Russell, 
Page 29, lines 1-4). 

Regarding Claims 6 and 23, the rejections of claims 1 and 21 are incorporated
and the combination of Russell, Langford and Richards further discloses wherein said
permitting access to the secure system via the first location comprises determining 
whether the user is permitted to gain access to the secure item via the first client 
machine and the first server machine, and wherein said permitting access to the secure 
item via the first server machine operates to permit the user to gain access to the 
secure item via the first client machine and the first server machine based on said 
permitting access to the secure system via the first location determining that the user is 
permitted to gain access to the secure item via both the first client machine and the first 
server machine (see Russell, page 11, lines 30-31, Page 25, lines 6-14 and Page 26, 
lines 3-13). 

Regarding Claim 24, the rejection of claim 23 is incorporated and the
combination of Russell, Langford and Richards further discloses preventing access to 
the secure item via any of the server machines other than the first server machine when 
said determining whether the user is permitted to gain access to the secure item via the 
first server machine determines that the user is permitted to gain access to the secure 
item from the first location (see Page 29, lines 1-4). 

Regarding Claim 7, the rejection of claim 1 is incorporated and the combination 
of Russell, Langford and Richards further discloses wherein said permitting access to 
the secure system via the first location comprises determining whether the user is
permitted to gain access to the secure item via the first server machine, and wherein 
said permitting access to the secure item via the first server machine operates to permit 
the user to gain access to the secure item via the first server machine based on said 
permitting access to the secure system via the first location determining that the user is 
permitted to gain access to the secure item via the first server machine (see Russell, 
page 11, lines 30-31, Page 25, lines 6-14 and Page 26, lines 3-13).

Regarding Claim 8, the rejection of claim 1 is incorporated and the combination 
of Russell, Langford and Richards further discloses wherein said permitting access to 
the secure system via the first location comprises determining whether the user is 
permitted to gain access to the secure item via the first client machine, and wherein said 
permitting access to the secure item via the first server machine operates to permit the 
user to gain access to the secure item via the first client machine based on said 
permitting access to the secure system via the first location determining that the user is 
permitted to gain access to the secure item via the first client machine (see Russell, 
page 11, lines 30-31, Page 25, lines 6-14 and Page 26, lines 3-13). 

Regarding Claim 9, the rejection of claim 1 is incorporated and the combination 
of Russell, Langford and Richards further discloses preventing the user from gaining 
access to the secure item via any of the server machines other than the first server 
machine based on said permitting access to the secure system via the first location 
determining that the user is permitted to gain access to the secure item from the first 
location (see Page 29, lines 1-4).

Regarding Claims 10 and 25, rejections of claims 9 and 24 are incorporated and
the combination of Russell, Langford and Richards further discloses
wherein said preventing the user from gaining access to the secure item via any
of the server machines other than the first server machine comprises reconfiguring at 
least one of the server machines that previously permitted the user to gain access to the 
secure item therethrough (see, Russell, Page 25, line 22- Page 26, line 2). 

Regarding Claims 11 and 26, the rejections of claims 10 and 25 are 
incorporated and the combination of Russell, Langford and Richards further discloses 
said permitting access to the secure item via the first server machine comprises 
reconfiguring the first server machine to permit access by the user to the secure item 
via the first server machine (see, Russell, Page 24, lines 14-22). 

Regarding Claim 12, the rejection of claim 13 is incorporated and the 
combination of Russell, Langford and Richards further discloses wherein said permitting 
access to the secure system via the first location comprises: obtaining access privileges 
associated with the user to determine at least one or more permitted locations for the 
user (see, Russell, Page 25, lines 11-14); and determining whether the user is permitted 
to gain access to the secure item from the first location based on the permitted locations 
associated with the user (see, Russell, Page 25, lines 11-14). 

Regarding Claims 13 and 27, rejections of claims 1 and 21 are incorporated and 
the combination of Russell, Langford and Richards further discloses wherein said 
permitting access to the secure item via the first server machine comprises 
reconfiguring the first server machine to permit access by the user to the secure item
via the first server machine (see, Russell, Page 24, lines 14-22). 

Regarding Claims 14 and 28, rejections of claims 13 and 21 are incorporated 
and the combination of Russell, Langford and Richards further discloses wherein 
receiving the access request comprises receiving the access request to access the 
secure item comprising a secured file, the secured file having a format that comprises a 
header including security information as to who and how access to the secure item is 
permitted (see, Richards, Fig. 4 and Paragraphs 0066-0068); an encrypted data portion 
including data of the secured file encrypted with a file key according to a predetermined 
cipher scheme, and wherein the header is attached to the encrypted data portion to 
generate the secured file (see, Langford, Fig. 1). 

Regarding Claims 15 and 29, rejections of claims 14 and 28 are incorporated 
and the combination of Russell, Langford and Richards further discloses wherein 
receiving the access request comprises receiving the access request to access the 
secure item comprising a secured file the security information in the header of the 
secured file facilitates the restricted access to the secured file (see, Richards, Fig. 4 and 
Paragraphs 0066-0068). 

Regarding Claim 16, the rejection of claim 15 is incorporated and the 
combination of Russell, Langford and Richards further discloses wherein receiving the 
access request comprises receiving the access request to access the secure item 
comprising a secured file the security information in the header of the secured file points 
to or includes the access rules and a file key (see, Langford, Fig. 1 as combined with
Richards, Fig. 4 and Paragraphs 0066-0068). 

Regarding Claims 17 and 30, rejections of claims 14 and 28 are incorporated
and the combination of Russell, Langford and Richards further discloses wherein 
receiving the access request comprises receiving the access request to access the 
secure item comprising a secured file the security information is encrypted with a user 
key associated with the user (see, Langford, Fig. 1). 

Regarding Claims 18 and 31, rejections of claims 14 and 28 are incorporated 
and the combination of Russell, Langford and Richards further discloses wherein 
receiving the access request comprises receiving the access request to access the 
secure item comprising a secured file the security information includes the file key and 
access rules to the restricted access to the secured file (see, Langford, Fig. 1 as 
combined with Richards, Fig. 4 and Paragraphs 0066-0068). 

Regarding Claims 19 and 32, rejections of claims 18 and 28 are incorporated 
and the combination of Russell, Langford and Richards further discloses wherein the file 
key is retrieved to decrypt the encrypted data portion in the secured file based on 
access privilege of the user being within access permissions by the access rules (see, 
Langford, Fig. 1 as combined with Richards, Fig. 4 and Paragraphs 0066-0068). 

Regarding Claim 36, Russell discloses an access control system that restricts 
access to a secure item (see, Fig. 1), said system comprising:

a central server having a server module that provides overall access control (see,
page 16, lines 18-23); and

a plurality of local servers, each of said servers including a local module that
provides local access control (see, Page 24, lines 14-22),

wherein the access control, performed by said central server or said local
servers, operates to permit or deny access requests to secured items by requestors
(see, Page 16, lines 18-23), and

permitted to access the secure item through one or more of said local servers, is
only able to access the secure item using only a single one of said local servers or the
central server such that the given requestor is only permitted to access the secure item
through at most one of said local servers at a time (see, Page 24, 14-22).

Russell discloses controlling access to a secure file. Russell does not explicitly
disclose retrieving at the first server machine, a user key permitting access to an
individual encrypted sub-header of the secure item and wherein the individually 
encrypted sub-header is selected for decryption by the given requestor from a group of 
one or more additional individually encrypted sub-headers corresponding to other 
requestors or groups to which the other requestors belong based on correspondence of 
the individually encrypted sub-header to an identifier for the given requestor or to a 
group to which the requestor belongs. 

Langford discloses individually encrypted sub-headers and wherein the 
individually encrypted sub-header (see, Fig. 1, each of the wrapped keys in the header)
is selected for decryption by the given requestor from a group of one or more additional
individually encrypted sub-headers corresponding to other requestors or groups to
which the other requestors belong based on correspondence of the individually 
encrypted sub-header to an identifier for the given requestor or to a group to which the 
requestor belongs (see, Fig. 2, and also Column 1, lines 39-53, "The receiving party 
locates his copy of the wrapped key by the key identifier in the header. The recipient 
can then decrypt the symmetric key using his private key."). 

Therefore, it would have been obvious at the time invention was made to a 
person of ordinary skill in the art to place file key of Russell into encrypted sub-headers 
as taught by Langford because "In this way, multiple recipients can each locate their 
wrapped copy of the symmetric key, unwrap the key, and then use the symmetric key to 
decrypt the message", (see, Langford, Column 1, lines 39-53). 

The combination of Russell and Langford discloses individually encrypted sub- 
headers but does not explicitly teach the information stored in the individually encrypted 
sub-header of the secure item comprising access rules applicable to the requestor or to 
a group to which the requestor belongs. 

However, Richards discloses a system where a given requester is permitted to 
access a secure item based on access rules applicable to the requestor stored in an 
encrypted header of a secure item (see, Fig. 4 and Paragraphs 0068, "The policy 
component 114 includes elements that define recipient's access rights to the data, such 
as the rights to "read/write", "save encoded", "save open", "no save", "server keyed", 
"render 1", "render 2", "Age 1", "Age 2", and "Use", etc.").

Therefore, it would have been obvious at the time invention was made to a
person of ordinary skill in the art to place access rules, in the individual encrypted sub- 
headers of the combination of Russell and Langford, as taught by Richards because "all 
encoded header data, database, and any other data are encoded as a single data file or 
stream being singular in type, the data may be checked by the application before 
opening via the various embedded hash elements. Accordingly, the security and 
integrity of the data is further maintained, firewall requirements are simplified, and the 
potential of firewall penetration is reduced" (see, Paragraph 0073).

Regarding Claim 37, the rejection of claim 36 is incorporated and the 
combination of Russell and Langford further discloses wherein said access control 
system couples to an enterprise network to restrict access to the secure item, which 
comprises a secured file, stored therein (see Russell, Fig. 3). 

Regarding Claim 38, the rejection of claim 37 is incorporated and the 
combination of Russell and Langford further discloses wherein the access requests are 
at least primarily processed in a distributed manner by said local servers (see, Russell, 
Page 24, lines 14-22). 

Regarding Claim 39, the rejection of claim 38 is incorporated and the 
combination of Russell and Langford further discloses wherein the requestors gain 
access to the secured files without having to access said central server based on 
processing of the access requests by said local servers (see, Russell, Page 24, lines 
14-22).

Regarding Claim 40, the rejection of claim 37 is incorporated and the
combination of Russell and Langford further discloses wherein the local module is a
copy of the server module so any of the local modules can operate
independently of said central server and other of said local servers (see, Page 23, lines
19-22).

Regarding Claim 41, the rejection of claim 37 is incorporated and the 
combination of Russell and Langford further discloses wherein the local module is a 
subset of the server module (see, Russell, Page 18, lines 15-17). 

Regarding Claim 42, the rejection of claim 42 is incorporated and the 
combination of Russell and Langford further discloses wherein access permissions for 
said local servers is dynamically configured to pass a requestor from one of said local 
servers to another of said local servers, thereby enabling access control to be 
performed by the another of said local servers such as a change of the location of the 
requestor (see, Page 20, lines 16-31). 

Regarding Claim 43, the rejection of claim 37 is incorporated and the 
combination of Russell and Langford further discloses wherein the secured files are 
secured by encryption of the secure item (see, Page 9, lines 6-7). 

Regarding Claim 44, the rejection of claim 37 is incorporated and the 
combination of Russell and Langford further discloses wherein the secure item are 
secured by encryption (see, page 9, lines 6-7).

Regarding Claim 45, Russell discloses method for providing access
management through use of a plurality of server machines associated with different
locations (see, Fig. 1), said method comprising:

receiving, at a first server machine of the plurality of server machines, an access 
request to access a secure item from a first client machine at a first location (see, page
24, lines 2-7);

authenticating a user of the first client machine (see, Page 11, lines 30-31);

authenticating the first client machine (See, Page 25, lines 6-14); 

retrieving at the first server machine, based on the success of said authentication 
of the user and authenticating of the first client machine access privileges associated 
with the user (see, page 25, lines 23-30); 

permitting access to the secure item via the first location based on success of 
said authenticating of the user and authenticating of the first client machine and further 
based on allowability by the access rules (see, page 11, lines 30-31, Page 25, lines 6-14
and Page 26, lines 3-13);

preventing access to the secure item via the first server machine based on said 
permitting access to the secure system via the first location not permitting the user to 
gain access to the secure item from the first location (see Page 26, lines 7-9). 

Russell discloses encrypting secure content to be delivered however, Russell 
does not explicitly teach retrieving at the first server machine a user key permitting 
access to an individually encrypted sub-header of the secured item and the sub-header 
selected, from a group of individually encrypted sub-headers corresponding to other 
user or groups, based on the sub-header's correspondence to other users or groups to 
the user or to a group to which the user belongs based on an identifier. 

Langford discloses retrieving at the first server machine, a user key permitting 
access to an individual encrypted sub-header of the secure item (see, Fig. 2, and also 
Column 1, lines 39-53, public key of the key pair), the sub-header selected, from a 
group of individually encrypted sub-headers corresponding to other user or groups (see, 
Fig. 1, each of the wrapped keys in the header), based on the sub-header's 
correspondence to other users or groups to which the user belongs based on an 
identifier (see, Fig. 2, and also Column 1, lines 39-53, "The receiving party locates his 
copy of the wrapped key by the key identifier in the header. The recipient can then 
decrypt the symmetric key using his private key."). 

Therefore, it would have been obvious at the time invention was made to a 
person of ordinary skill in the art to place file key of Russell into encrypted sub-headers 
as taught by Langford because "In this way, multiple recipients can each locate their 
wrapped copy of the symmetric key, unwrap the key, and then use the symmetric key to 
decrypt the message", (see, Langford, Column 1, lines 39-53) 

The combination of Russell and Langford discloses individually encrypted sub- 
headers but does not explicitly teach that the individually encrypted sub-header 
including access rules applicable to the user or to a group to which the user belongs for 
the secured item. 

However, Richards discloses a system where a given requester is permitted to 
access a secure item based on access rules applicable to the user stored in an 
encrypted header of a secure item (see, Fig. 4 and Paragraphs 0068, "The policy 
component 114 includes elements that define recipient's access rights to the data, such 
as the rights to "read/write", "save encoded", "save open", "no save", "server keyed", 
"render 1", "render 2", "Age 1", "Age 2", and "Use", etc."). 

Therefore, it would have been obvious at the time invention was made to a 
person of ordinary skill in the art to place access rules, in the individual encrypted sub- 
headers of the combination of Russell and Langford, as taught by Richards because "all 
encoded header data, database, and any other data are encoded as a single data file or 
stream being singular in type, the data may be checked by the application before 
opening via the various embedded hash elements. Accordingly, the security and 
integrity of the data is further maintained, firewall requirements are simplified, and the 
potential of firewall penetration is reduced" (see, Paragraph 0073). 

Regarding Claim 46, Russell discloses method for providing access 
management through use of a distributed network of server machines (see, Fig. 1), said 
method comprising: 

receiving, at a first server machine of the plurality of server machines, an access 
request to access a secure item from a first client machine (see, page 24, lines 2-7); 

authenticating a user of the first client machine (see, Page 11, lines 30-31); 

authenticating the first client machine (See, Page 25, lines 6-14); 

upon successfully authenticating the user and authenticating the first client 
machine, retrieving at the first server machine access privileges associated with the 
user (see, page 25, lines 23-30); 

determining whether the user is permitted to gain access to the secure item via 
the first server machine based on success of said authenticating the user and said 
authenticating the first client machine, and further based on allowability by the access 
privileges and access rules (see, page 11, lines 30-31, Page 25, lines 6-14 and Page 
26, lines 3-13); and 

preventing access to the secure item via the first server machine based on said 
determining whether the user is permitted to gain access to the secure item via the first 
server machine determining that the user is not permitted to gain access to the secure 
item via the first server machine (see Page 26, lines 7-9). 

Russell discloses encrypting secure content to be delivered however, Russell 
does not explicitly teach retrieving at the first server machine a user key permitting 
access to an individually encrypted sub-header of the secured item and the sub-header 
selected, from a group of individually encrypted sub-headers corresponding to other 
user or groups, based on the sub-header's correspondence to other users or groups to 
the user or to a group to which the user belongs based on an identifier. 

Langford discloses retrieving at the first server machine, a user key permitting 
access to an individual encrypted sub-header of the secure item (see, Fig. 2, and also 
Column 1, lines 39-53, public key of the key pair), the sub-header selected, from a 
group of individually encrypted sub-headers corresponding to other user or groups (see, 
Fig. 1, each of the wrapped keys in the header), based on the sub-header's 
correspondence to other users or groups to which the user belongs based on an 
identifier (see, Fig. 2, and also Column 1, lines 39-53, "The receiving party locates his 
copy of the wrapped key by the key identifier in the header. The recipient can then 
decrypt the symmetric key using his private key."). 

Therefore, it would have been obvious at the time invention was made to a 
person of ordinary skill in the art to place file key of Russell into encrypted sub-headers 
as taught by Langford because "In this way, multiple recipients can each locate their 
wrapped copy of the symmetric key, unwrap the key, and then use the symmetric key to 
decrypt the message", (see, Langford, Column 1, lines 39-53) 

The combination of Russell and Langford discloses individually encrypted sub- 
headers but does not explicitly teach that the individually encrypted sub-header 
including access rules applicable to the user or to a group to which the user belongs for 
the secured item. 

However, Richards discloses a system where a given requester is permitted to 
access a secure item based on access rules applicable to the user stored in an 
encrypted header of a secure item (see, Fig. 4 and Paragraphs 0068, "The policy 
component 114 includes elements that define recipient's access rights to the data, such 
as the rights to "read/write", "save encoded", "save open", "no save", "server keyed", 
"render 1", "render 2", "Age 1", "Age 2", and "Use", etc."). 

Therefore, it would have been obvious at the time invention was made to a 
person of ordinary skill in the art to place access rules, in the individual encrypted sub- 
headers of the combination of Russell and Langford, as taught by Richards because "all 
encoded header data, database, and any other data are encoded as a single data file or 
stream being singular in type, the data may be checked by the application before 
opening via the various embedded hash elements. Accordingly, the security and 
integrity of the data is further maintained, firewall requirements are simplified, and the 
potential of firewall penetration is reduced" (see, Paragraph 0073). 

Claims 20 and 33 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Russell in view of Langford and Richards and further in view of Brown et al. (US 
2003/0050919 A1), hereinafter "Brown". 

Regarding Claims 20 and 33, rejections of claims 18 and 31 are incorporated 
and the combination of Russell, Langford and Richards further discloses receiving the 
access request comprises receiving the access request to access the secure item 
comprising a secured file with the access rule but does not explicitly disclose access 
rules expressed in a markup language. 

However, Brown discloses access rules expressed in a markup language (see, 
Fig. 5A and Paragraph 0052). 

Therefore, it would have been obvious at the time invention was made to a 
person of ordinary skill in the art to express the access rules of the combined system of 
Russell, Langford and Richards in a markup language as taught by Brown because 
XML is a text-based and platform independent markup language, as a result distributor 
server would be able to enforce and distribute the content with policies to all client 
having any type of operating system platform. 



Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to YOGESH PALIWAL whose telephone number is 
(571)270-1807. The examiner can normally be reached on M-F 9:00 - 5:00 EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 5712723859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 